Skip to main content

Client Certificates and Custom CAs ⭐


This page describes how to use the Client Certificates and Custom CAs Plugin that is provided by the Management Center for the Pro Edition of Eclipse Mosquitto (MMC).


Custom Certificates Feature can only be accessed by users who can create connections. So, only by admin users.

Client Certificates and Custom CAs Overview

The User Client Certificates Feature provides an alternative to password authentication when connecting to your Mosquitto brokers. If your Mosquitto instance uses a certificate signed by a custom CA, you can still establish an encrypted connection using MMC with it. For that CA certificate can be uploaded for the given broker connection.

Enable Custom Certificates Plugin

To enable Custom Certificates Feature, make sure you are using the Pro Edition of Mosquitto and that you have the feature enabled in your license. Also, ensure that your config file (specified with CEDALO_MC_PROXY_CONFIG environmental variable or by default saved in management-center/config/config.json) contains the following entry inside of the plugins array:

"name": "tls"

On start-up, the Management Center will print a message that the tls plugin is enabled and loaded into the console:

Loaded plugin: "application_tokens" (Cedalo Application tokens)

Use Custom Certificates with a specific Connection

To use a client certificate and/or custom CA certificate, go to the Create Connection Tab by selecting Connections view in the left menu bar, and in the top left, click "New Connection" button.


In the bottom of the Create Connection Tab, you will see the fields for uploading your certificates:


You can see two sections: "Server certificate" and "Client certificate", and the following fields:

  • Server certificate

    • Verify server certificate switch makes Management Center validate Mosquitto broker server certificate. We recommend always leaving it on.

    • CA Certificates is a Certificate Authority Certificate. The Management Center will trust the authority whose certificate you upload in this field. Upload a certificate here in case your broker instance uses a certificate signed by an unknown/custom CA.

  • Client certificate

    • Cetificate upload a certificate to be used by the Management Center when connecting to the broker. This certificate will be validated by the broker

    • Private Key required field if you uploaded a client certificate using Certificate option. This is a private key that will be used by the Management Center to handle encryption with a given broker.


Certificates can also be downloaded by clicking on the download cloud icon next to the certificate field.


In case you want to use certificates with an existing connection, just click on this connection in the Connections view and make the appropriate changes to the "Server certificate" and "Client certificate" sections